Server Auditing

As the title sounds pretty grave, let's understand what it exactly means. Server auditing is where you want to know:

  • Who is successfully logging into your server, and when?
  • What commands are the users or processes executing on your server?
  • Who is failing to log in to your server, and when?
  • What processes are running on your server, and what ports are in use, at any given time?
  • Which files are being modified, and what exactly changed in them?
  • Has any new user or group been added, or an existing user or group modified?

These are a few of the essential questions that auditing answers, and they are the reason we audit servers to improve their security.

Why do we need this?
You must have heard about the security breach on Facebook's servers, which they only discovered after the fact. Breaches like this cannot always be prevented, but they can be detected much earlier and contained to a great extent if we continuously audit and monitor our servers.

How do we do this?
Coming to how to implement this, we have two routes:

Open source (free tools) –
1. OSSEC
2. Apache Metron
3. Auditbeat by Elastic
4. SIEMonster
Several other players are in the market as well.

Paid versions –
1. Threat Stack
2. Auditbeat by Elastic (the paid Elastic subscription tiers)
3. Splunk, to an extent (the free tier has a daily ingest limit)
4. Nagios (Nagios XI)
5. AlienVault USM (OSSIM is its free, open-source edition)
Several other players are in the market as well.

Auditbeat by Elastic, combined with Elasticsearch and Kibana, is my personal preference. It comes in both free and paid flavours. I would recommend using the free version, and moving to the paid one only if you find that the free version cannot do what you need.

How Auditbeat works –

Beats are lightweight shippers. Install Auditbeat on every server you want to audit and configure it to send its events to Elasticsearch, which indexes and enriches the data. Auditbeat collects from three modules: auditd, which subscribes to the Linux kernel audit framework and records what you write audit rules for (command execution via execve, writes to files such as /etc/passwd, login records); file_integrity, which hashes the files under the paths you list and reports every creation, change and deletion; and system, which periodically reports hosts, logins, packages, processes, sockets and users. The indexed events can then be visualised in Kibana, where you can build dashboards for them. One caveat on Linux: only one process can own the kernel's unicast audit socket, so if the auditd daemon is already running you must either stop it or configure Auditbeat's auditd module with socket_type: multicast (kernel 3.16 or later).
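Below is an added example of an auditbeat.yml that maps the six questions from the top of the page onto Auditbeat's three modules. It was written for this page and is not the original post's configuration or a file from Elastic; the Elasticsearch and Kibana addresses, the CA path, the user name auditbeat_writer and the keystore entry ES_PWD are placeholders you must replace. The audit rules use the standard auditctl syntax.

```yaml
# auditbeat.yml - added example for this page; not the original post's config.
# Placeholders to replace: the Elasticsearch/Kibana hosts, the CA path, the
# user name and the keystore entry ES_PWD (create it with: auditbeat keystore add ES_PWD).
auditbeat.modules:

# 1. auditd: subscribes to the Linux kernel audit framework.
#    Answers "what commands ran", "who changed users/groups", "which files changed".
- module: auditd
  # If the auditd daemon is already running, only one process can own the
  # unicast audit socket; use multicast (kernel 3.16+) to run side by side.
  socket_type: multicast
  resolve_ids: true      # turn uid/gid numbers into names in the event
  failure_mode: log      # log kernel-side audit failures instead of silently dropping
  backlog_limit: 8192
  audit_rules: |
    ## Every program execution (the command, its arguments and the calling user)
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    ## 32-bit binaries on x86_64; remove this line on arm64 hosts
    -a always,exit -F arch=b32 -S execve -k exec
    ## User and group additions or modifications
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/group -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/sudoers -p wa -k sudoers
    -w /etc/sudoers.d/ -p wa -k sudoers
    ## Login records written by PAM and login(1): successes (wtmp/lastlog) and failures (btmp/faillog)
    -w /var/log/faillog -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
    -w /var/log/btmp -p wa -k logins
    -w /var/log/wtmp -p wa -k logins
    ## Changes to the SSH daemon config and to the audit configuration itself
    -w /etc/ssh/sshd_config -p wa -k sshd
    -w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat

# 2. file_integrity: hashes every file under these paths and reports
#    creations, modifications (with old and new hashes) and deletions.
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  recursive: true
  scan_at_start: true    # baseline every file on startup
  hash_types: [sha256]
  max_file_size: 100 MiB

# 3. system: periodic snapshots plus change events for hosts, logins, packages,
#    processes, sockets and user accounts. Answers "who logged in or failed to",
#    "what is running" and "which ports are in use".
- module: system
  datasets:
  - host
  - login
  - package
  - process
  - socket
  - user
  period: 10s            # how often process/socket changes are polled
  state.period: 12h      # how often a full inventory is re-sent
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

# Ship to Elasticsearch over TLS with a least-privilege writer account,
# never the elastic superuser; the password lives in the Auditbeat keystore.
output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]
  username: "auditbeat_writer"
  password: "${ES_PWD}"
  ssl.certificate_authorities: ["/etc/auditbeat/ca.crt"]

# Kibana endpoint used once by `auditbeat setup` to load the bundled dashboards.
setup.kibana:
  host: "https://kibana.example.internal:5601"
```

Before enabling the service, validate the file with `auditbeat test config -c /etc/auditbeat/auditbeat.yml` and the connection with `auditbeat test output`, then run `auditbeat setup --dashboards` once to load the Auditbeat dashboards into Kibana. Because the execve rule fires for every process start, watch the events-per-second figure on a busy host before rolling it out fleet-wide.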

Server auditing is no longer a nice-to-have enhancement; it is a mandatory requirement.

Published by Ritesh Kumar Reddy

I (Ritesh) work as a Sr. Cloud Engineer for a living. Learning new technologies has always been my hobby. Why not share it? Here is the brainchild: blogging to share the knowledge. This blog is for those who wish to start in, or are already in, the Cloud field. Each article briefly talks about a tool/technology that is used in the Cloud model. Once you read the article, I hope, you get a kick start regarding the specific tool/technology.
